authorDavid Kalnischkies <david@kalnischkies.de>2014-01-16 23:00:27 +0100
committerDavid Kalnischkies <david@kalnischkies.de>2014-01-16 23:50:39 +0100
commit5fd25d678f51cfa013643efe3429eb08b9504058 (patch)
treede74953f037d3db86c6425b729fdb30e596a7de6 /cmdline
parent9ce3cfc9309c55cc01018c88c1ca82779fd74431 (diff)
use gpg --homedir instead of explicit file placement
This keeps gpg from getting the idea that it could use files from the user that weren't specifically overridden, the way the secret keyring and trustdb were before.
Diffstat (limited to 'cmdline')
-rw-r--r--cmdline/apt-key.in27
1 files changed, 14 insertions, 13 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 463e4b4b4..0ced500db 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -5,22 +5,23 @@ unset GREP_OPTIONS
GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
-# gpg needs a trustdb to function, but it can't be invalid (not even empty)
-# so we create a temporary directory to store our fresh readable trustdb in
-TRUSTDBDIR="$(mktemp -d)"
-CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+# gpg needs (in different versions more or less) files to function correctly,
+# so we give it its own homedir and generate some valid content for it
+GPGHOMEDIR="$(mktemp -d)"
+CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';"
trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
-chmod 700 "$TRUSTDBDIR"
-# We also don't use a secret keyring, of course, but gpg panics and
+chmod 700 "$GPGHOMEDIR"
+# We don't use a secret keyring, of course, but gpg panics and
# implodes if there isn't one available - and writeable for imports
-SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
+SECRETKEYRING="${GPGHOMEDIR}/secring.gpg"
touch $SECRETKEYRING
-GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
-GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
-
-# now create the trustdb with an (empty) dummy keyring
-$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING
-# and make sure that gpg isn't trying to update the file
+GPG_CMD="$GPG_CMD --homedir $GPGHOMEDIR"
+# create the trustdb with an (empty) dummy keyring
+# older gpgs required it, newer gpgs even warn that it isn't needed,
+# but require it nontheless for some commands, so we just play safe
+# here for the foreseeable future and create a dummy one
+$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev/null 2>&1
+# tell gpg that it shouldn't try to maintain a trustdb file
GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
GPG="$GPG_CMD"
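Review bot: The `>/dev/null 2>&1` added to the `--check-trustdb` call discards every gpg diagnostic, not only the "isn't needed" warning from newer versions, so a failure to populate the fresh homedir leaves nothing to debug from; whether the script then aborts or carries on depends on a `set -e` that is not visible in this hunk. Capturing the output and replaying it only on a non-zero exit would keep normal runs quiet: `if ! out="$($GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING 2>&1)"; then echo "$out" >&2; exit 1; fi`. Separately, `--homedir $GPGHOMEDIR` goes unquoted into a string that is word-split at each use, so a `TMPDIR` containing whitespace would hand gpg a different homedir than the one `mktemp -d` created; a check right after the `mktemp -d` line, or a comment stating that assumption, would make this explicit.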